{ "type": "Domain", "indicator": "oryz.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/oryz.com", "alexa": "http://www.alexa.com/siteinfo/oryz.com", "indicator": "oryz.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4166348720, "indicator": "oryz.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6948bf9b3028d537f8b1290f", "name": "IOC - Black Hole of Trust: SEO Poisoning in Silver Fox\u2019s Space Odyssey", "description": "Zero Trust is often touted as the ultimate defence for organisations, yet even threat actors sometimes leave the door unlocked, creating the perfect opening for us to walk through. This publication presents our findings on an ongoing campaign orchestrated by Silver Fox,\nuncovered through an insecure web panel identified as part of our Threat Intelligence\noperations.", "modified": "2026-01-21T03:08:45.079000", "created": "2025-12-22T03:48:43.532000", "tags": [ "cloud hosting", "domain alibaba", "valleyrat", "filename hash", "domain link", "ip link", "domain tencent" ], "references": [ "https://www.nccgroup.com/research-blog/black-hole-of-trust-seo-poisoning-in-silver-fox-s-space-odyssey/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "hostname": 2, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 12 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 120, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69482851d7b116174128285b", "name": "Black Hole of Trust: SEO Poisoning in Silver Fox's Space Odyssey", "description": "Silver Fox, an advanced persistent threat (APT) group based in China, has been active since its emergence in 2022, with significant operations documented through 2024. The group's tactics, techniques, and procedures (TTPs) notably include SEO poisoning to direct users to malicious domains masquerading as legitimate applications, such as Microsoft Teams. This campaign was partially uncovered through an exposed link management panel that is believed to facilitate the tracking of download activity for backdoor installer applications.", "modified": "2026-01-20T16:05:07.439000", "created": "2025-12-21T17:03:13.273000", "tags": [ "remote access", "holdinghands", "gh0st", "seo" ], "references": [ "https://www.nccgroup.com/media/yc3dlppc/black-hole-of-trust-seo-poisoning-in-silver-fox-s-space-odyssey.pdf" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1036.006", "name": "Space after Filename", "display_name": "T1036.006 - Space after Filename" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [ "Financial", "Medical", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "domain": 45, "hostname": 2 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Book2.csv", "https://www.nccgroup.com/media/yc3dlppc/black-hole-of-trust-seo-poisoning-in-silver-fox-s-space-odyssey.pdf", "https://www.nccgroup.com/research-blog/black-hole-of-trust-seo-poisoning-in-silver-fox-s-space-odyssey/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "Silver Fox" ], "malware_families": [], "industries": [ "Medical", "Technology", "Financial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6948bf9b3028d537f8b1290f", "name": "IOC - Black Hole of Trust: SEO Poisoning in Silver Fox\u2019s Space Odyssey", "description": "Zero Trust is often touted as the ultimate defence for organisations, yet even threat actors sometimes leave the door unlocked, creating the perfect opening for us to walk through. This publication presents our findings on an ongoing campaign orchestrated by Silver Fox,\nuncovered through an insecure web panel identified as part of our Threat Intelligence\noperations.", "modified": "2026-01-21T03:08:45.079000", "created": "2025-12-22T03:48:43.532000", "tags": [ "cloud hosting", "domain alibaba", "valleyrat", "filename hash", "domain link", "ip link", "domain tencent" ], "references": [ "https://www.nccgroup.com/research-blog/black-hole-of-trust-seo-poisoning-in-silver-fox-s-space-odyssey/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "hostname": 2, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 12 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 120, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69482851d7b116174128285b", "name": "Black Hole of Trust: SEO Poisoning in Silver Fox's Space Odyssey", "description": "Silver Fox, an advanced persistent threat (APT) group based in China, has been active since its emergence in 2022, with significant operations documented through 2024. The group's tactics, techniques, and procedures (TTPs) notably include SEO poisoning to direct users to malicious domains masquerading as legitimate applications, such as Microsoft Teams. This campaign was partially uncovered through an exposed link management panel that is believed to facilitate the tracking of download activity for backdoor installer applications.", "modified": "2026-01-20T16:05:07.439000", "created": "2025-12-21T17:03:13.273000", "tags": [ "remote access", "holdinghands", "gh0st", "seo" ], "references": [ "https://www.nccgroup.com/media/yc3dlppc/black-hole-of-trust-seo-poisoning-in-silver-fox-s-space-odyssey.pdf" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1036.006", "name": "Space after Filename", "display_name": "T1036.006 - Space after Filename" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [ "Financial", "Medical", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "domain": 45, "hostname": 2 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "oryz.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "oryz.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1777017742.0364757 }